CVE-2024-1740

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-1740

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1740.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-1740

Published

2024-04-10T17:15:53.293Z

Modified

2025-11-14T03:34:10.125622Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions.

References

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type: GIT
Repo: https://github.com/lunary-ai/lunary
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c57cd50fa0477fd2a2efe60810c0099eebd66f54